Apple and Meta (Facebook), two of the world’s largest technology companies, shared their users’ private information, such as addresses, phone numbers and IP addresses, with hackers who posed as police, as reported by Bloomberg, which had access to details of the ongoing investigation. Both companies fell for the trap in mid-2021, believing the “emergency data request” sent by the cybercriminals was real.
An Emergency Data Request (EDR) is a legal procedure that law enforcement can use to obtain information about a user that is needed to conduct an investigation. Requests of this type do not require a court order, since they are considered urgent and are made, in most cases, when there is a life-or-death situation. Apple, Meta and other companies are obligated to share this data once they have verified that the request is real.
Apple and Meta do, in fact, seem to have a rigorous system for checking that the procedure is legitimate. “We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Meta spokesman Andy Stone said. So how could they have handed over data in response to a bogus request?
Accepting or rejecting the request: a life-or-death decision
According to the investigation, the hackers may have sent the fake emergency data requests from genuine police email addresses. They also forged the signatures of the officers. Gaining access to internal police systems does not appear to be a complicated task for cybercriminals, and the practice of sending data requests to obtain information about users is, according to Krebs on Security, “very effective”. This is mainly because the companies involved, like Apple and Meta in this case, are obliged to accept a request of this kind when they believe that the life of one or more people may be in danger.
This is not the first time this method has been used to obtain private information about the users of a platform. According to Bloomberg, the practice of forging “emergency data requests” began in January 2021 and targeted a wide variety of companies operating in the technology sector. Snap Inc. (Snapchat’s parent company) also appears to be among those affected. However, it is unclear whether the company ultimately complied with the request and shared its users’ data with the hackers.
Even so, Meta, Apple and other companies that may face this type of attack, or have been involved in similar scams in the past, have various security measures in place to prevent future incidents.
“We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we did in this case.”
Andy Stone, spokesperson for Meta
Who is behind the Apple and Meta hack?
Everything indicates that the attack against Apple and Meta was organized by a group of teenage hackers, minors located in the United States and the United Kingdom. The group went by the name “Recursion Team” when they started this practice, but according to the investigation, they have since disbanded.
Many of its members now appear to be part of LAPSUS$, the “Latin American” group that hacked Nvidia, Microsoft, Okta, Samsung and Mercado Libre. Interestingly, London police arrested seven members of the group just days ago. One of them, the alleged leader of LAPSUS$, who may also be involved in hacking different companies via emergency data requests, is 16 years old and lives with his parents in Oxford.